Department of Health and Human Services
Centers for Medicare & Medicaid Services
Medicaid Integrity Program
Virginia Comprehensive Program Integrity Review
Lauren Reinertsen, Review Team Leader
Barbara Davidson
Tonya Fullen
Mark Rogers
The Review
Objectives of the Review
Overview of Virginia’s Medicaid Program
Program Integrity Section
Methodology of the Review
Scope and Limitations of the Review
Results of the Review
Effective Practices
Regulatory Compliance Issues
The Centers for Medicare & Medicaid Services’ (CMS) Medicaid Integrity Group (MIG) conducted a comprehensive program integrity review of the Virginia Medicaid Program. The MIG review team conducted the onsite portion of the review at the Virginia Department of Medical Assistance Services (DMAS) offices. The review team also met with the Medicaid Fraud Control Unit (MFCU).
This review focused on the activities of DMAS’ Program Integrity (PI) division which is responsible for Medicaid program integrity in Virginia. Virginia has made significant strides in correcting instances of regulatory non-compliance and program vulnerabilities which were identified in a previous MIG review in July 2007. However, the MIG review team identified concerns that had not been fully addressed, particularly in the managed care and dental parts of the Medicaid program. This report describes one noteworthy practice, four effective practices, three regulatory compliance issues, and six vulnerabilities in the State’s program integrity operations.
Objectives of the Review
1. Determine compliance with Federal program integrity laws and regulations;
2. Identify program vulnerabilities and effective practices;
3. Help Virginia improve its overall program integrity efforts; and
4. Consider opportunities for future technical assistance.
Overview of Virginia’s Medicaid Program
The DMAS administers the Virginia Medicaid program. In the State fiscal year (SFY) ending June 30, 2009, the program served a total of 857,662 beneficiaries, 553,770 of whom were enrolled in 5 MCOs. Total Medicaid expenditures during SFY 2009 were $5,772,295,365. This figure includes $1,272,036,608 in payments to managed care organizations (MCOs). The State had 64,298 fee-for-service (FFS) enrolled providers, 37,915 MCO network providers, and 7 Program of All-Inclusive Care for the Elderly (PACE) programs as of January 1, 2009. During Federal fiscal year (FFY) 2009, the Federal medical assistance percentage (FMAP) for Virginia was 50 percent. Following the passage of the American Recovery and Reinvestment Act of 2009, the actual FMAP for Virginia during FFY 2009 increased to 58.78 percent in the first and second quarters, 60.19 percent in the third quarter, and 61.59 percent in the fourth quarter.
Program Integrity Section
In Virginia, the PI division within DMAS is the organizational component dedicated to fraud and abuse activities. At the time of the review, the PI division had 35 full-time equivalent staff focusing on Medicaid program integrity. The table below presents the number of preliminary and full investigations, the amount of overpayments identified and total recoupments in the past four SFYs.
Table 1

| SFY | Number of Preliminary Investigations* | Number of Full Investigations** | Amount of Overpayments Identified | Amount of Overpayments Collected |
|---|---|---|---|---|
| 2006 | 54 | 7 | $8,841,798 | $45,742,905 |
| 2007 | 27 | 17 | $11,714,979 | $62,858,807 |
| 2008 | 13 | 12 | $5,868,240 | $79,924,927 |
| 2009 | 9 | 9 | $5,304,280 | $83,899,736 |
*Preliminary investigations of fraud or abuse complaints determine if there is sufficient basis to warrant a full investigation.
**Full investigations are conducted when preliminary investigations provide reason to believe fraud or abuse has occurred. They are resolved through a referral to the Medicaid Fraud Control Unit or administrative or legal disposition.
Virginia reported that data on overpayments identified solely through program integrity activities were not broken out separately in its database. The amount of overpayments collected includes third party liability, cost settlements, audit contractor recoveries and provider self-adjustments (i.e., occurring when a provider discovers a billing error or receives an overpayment and those funds are returned to DMAS).
Methodology of the Review
In advance of the onsite visit, the review team requested that Virginia complete a comprehensive review guide and supply documentation in support of its answers. The review guide included such areas as program integrity, provider enrollment/disclosures, managed care, and the MFCU. A four-person team reviewed the responses and materials that the State provided in advance of the onsite visit.
During the week of October 26, 2009, the MIG review team visited the DMAS and MFCU offices. The team conducted interviews with numerous DMAS officials, the State’s provider enrollment, non-emergency medical transportation (NEMT) and consumer-directed personal care services (PCS) program contractors, and the MFCU director. Finally, to determine whether MCOs were complying with contract provisions and other Federal regulations relating to program integrity, the MIG team interviewed DMAS staff responsible for MCO contracting. The team also reviewed the managed care contract provisions and gathered information through interviews with representatives of three MCOs and two PACE programs. In addition, the team conducted sampling of provider enrollment applications, FFS and managed care case files, selected claims, and other primary data to validate the State’s program integrity practices.
Scope and Limitations of the Review
This review focused on the activities of DMAS as they relate to program integrity but also considered the work of other components and contractors responsible for a range of program integrity functions, including provider enrollment, managed care, dental services, PCS, and NEMT.
Virginia operates its Children’s Health Insurance Program (CHIP) both as a stand alone Title XXI program and a Title XIX Medicaid expansion program. The expansion program operates under the same billing and provider enrollment policies as Virginia’s Title XIX program. The same findings, vulnerabilities, and effective practices discussed in relation to the Medicaid program also apply to the expansion CHIP. The stand alone program operates under the authority of Title XXI and is beyond the scope of this review.
Unless otherwise noted, Virginia provided the program integrity-related staffing and financial information cited in this report. For purposes of this review, the review team did not independently verify any staffing or financial information that DMAS provided.
Results of the Review
As part of its comprehensive review process, the CMS review team has identified one practice that merits consideration as a noteworthy or "best" practice. The CMS recommends that other States consider emulating this activity.
Checking for excluded personal care attendants (PCAs) in Virginia’s consumer-directed PCS program
Consumer-directed personal care services in Virginia have been growing rapidly since SFY 2006 when 1,500 consumers were served. As of September 2009, approximately 6,500 consumers were served by 16,000 PCAs. The majority are enrolled in the Elderly or Disabled in Consumer Direction (75 percent) and Intellectual Disability (18 percent) waiver programs. The State contracts with an entity that performs fiscal agent-like functions in enrolling PCAs and paying for consumer-directed services.
The review team was told that as a result of the two State Medicaid Director Letters (SMDLs) #08-003 and #09-001, released on June 12, 2008 and January 16, 2009, respectively, DMAS implemented a procedure to check the consumer-directed PCAs for U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) exclusions. In September 2009, the PI division received from the PCS program contractor a comprehensive file listing all the PCAs that passed criminal record checks which the contractor had conducted as part of its attendant enrollment process. The DMAS then matched the list by first and last names against the HHS-OIG List of Excluded Individuals/Entities (LEIE). The matched list was narrowed down to those individuals living in Virginia. The Social Security Number (SSN) was obtained from the contractor for those individuals who were then searched and verified again using the LEIE on the HHS-OIG website. Shortly before the onsite review, DMAS identified two excluded nurses who were providing consumer-directed services to Virginia Medicaid beneficiaries. At the time of the onsite review, their cases were being reviewed by the Virginia Attorney General’s Office. An overpayment had not yet been determined. This process is now a standard monthly procedure in the PI division. Although the systemic exclusion checking of PCAs is a commendable practice that other States should consider, the review team found other issues related to the search for exclusions which are discussed in the Vulnerabilities section of this report.
As part of its comprehensive review process, the CMS also invites each State to self-report practices that it believes are effective and demonstrate its commitment to program integrity. The CMS does not conduct a detailed assessment of each State-reported effective practice. Virginia reported practices regarding a contractor's targeted audits, effective communication, an automated database interface with the MMIS, and provider outreach on exclusion checking.
Enhanced auditing through contractors
Since CMS’ last program integrity review in July 2007, Virginia has continued the enhancement of its Medicaid audit program through the use of targeted audits conducted by a major contractor in each of three primary areas - general providers, ancillary providers, and providers reimbursed using Diagnosis Related Group (DRG) methodologies. The general provider audits cover home health, hospice, mental health, outpatient psychiatric and substance abuse services as well as personal care, physician services, private duty nursing, psychiatric residential treatment centers, respite care, and foster care case management providers participating in Virginia Medicaid. The ancillary provider auditing focuses on retail pharmacy, durable medical equipment, and home infusion therapy services, while the DRG audits focus on inpatient hospital services.
Effectively communicating program integrity concerns and providing training on an agency-wide basis
Recognizing that program integrity is an agency-wide responsibility, DMAS reorganized the management of its PI division prior to CMS’ last comprehensive review in July 2007. Since that reorganization, DMAS has continued to develop program integrity as an agency-wide priority and its actions have effected a change in culture within the State Medicaid agency. To optimize the impact of edits in its Medicaid Management Information System (MMIS), DMAS has established an agency-wide Information Management committee that includes PI division representation and regularly discusses current and proposed edits for inclusion in prepayment reviews. The DMAS contract oversight division, which conducts monthly meetings with its MCOs, includes Medicaid program integrity concerns as an ongoing agenda item. The PI division also regularly interfaces with the long term care division responsible for Virginia’s consumer-directed PCS program and has influenced its development of the monthly PCA exclusion checks discussed below. Virginia also has increased the training of agency staff on program integrity-related subjects, including giving several State staff the opportunity to attend Medicaid Integrity Institute courses.
Automated Medicare Exclusion Database (MED) interface with Virginia’s MMIS
In June 2009, the Virginia Medicaid program improved the process of checking State Medicaid providers whose information resides in the MMIS for exclusions by incorporating an automated upload of the monthly MED files. This process allows both a prospective and retrospective check of providers to ensure that excluded individuals are not enrolled and participating in Virginia Medicaid. Provider enrollment staff employs an algorithm to match MMIS and MED files on a combination of provider name, National Provider Identifier, and SSN. Potential matches are displayed and edits prevent the operator from enrolling an excluded provider. Additionally, the monthly MED update is systematically compared to all enrolled providers in the MMIS to ensure the identification and termination of newly excluded providers who are already in the Medicaid system. Following its implementation, the process successfully identified a recently excluded provider. This led to his immediate termination from the program and referral to the PI division, which notified the HHS-OIG of the termination action. Although this automated system of exclusion checking is a valuable State initiative, the review team found other issues related to the search for exclusions which are discussed in the Vulnerabilities section of this report.
Expanded provider outreach and education on exclusion checking
In response to the SMDLs of June 2008 and January 2009 on the screening of Medicaid providers and related parties, DMAS also initiated a comprehensive outreach program targeted to all enrolled providers in the Virginia Medicaid program. In April 2009, the State Medicaid agency sent a detailed DMAS Medicaid Memorandum to all providers informing them of their role in screening and reporting employees and contractors to ensure excluded individuals or entities are not participating in any Federally funded health care program. Additionally, DMAS conducted several types of provider training on exclusion checking. The DMAS posted a recorded session and tutorial on how to check for excluded individuals and entities using HHS-OIG’s LEIE, which providers could view and download. It also hosted three question and answer sessions related to exclusion checking. Additionally, DMAS included information regarding excluded individuals in its physician liaison training and in its statewide sessions on personal and respite care services. The DMAS covered the same topic in training on its children’s community mental health rehabilitation and mental retardation waiver program. These training sessions reached 1,091 providers. Following the memorandum on exclusion checking, DMAS also updated all of its provider manuals to include exclusion checking requirements and instructions on how to conduct searches. It further updated the DMAS website with links to additional information on exclusions.
Regulatory Compliance Issues
The State is not in compliance with Federal regulations related to required disclosure and notification activities.
The State does not capture all required ownership, control, and relationship information from FFS providers, fiscal and quasi-fiscal agents, dental broker, and contracted MCOs.
(Uncorrected Partial Repeat Finding)
Under 42 CFR § 455.104(a)(1), a provider, or “disclosing entity,” that is subject to periodic survey under § 455.104(b)(1) must disclose to the State surveying agency, which then must provide to the Medicaid agency, the name and address of each person with an ownership or controlling interest in the disclosing entity or in any subcontractor in which the disclosing entity has a direct or indirect ownership interest of 5 percent or more. A disclosing entity that is not subject to periodic survey under § 455.104(b)(2) must disclose to the Medicaid agency, prior to enrolling, the name and address of each person with an ownership or controlling interest in the disclosing entity or in any subcontractor in which the disclosing entity has a direct or indirect ownership interest of 5 percent or more. Additionally, under § 455.104(a)(2), a disclosing entity must disclose whether any of the named persons is related to another as spouse, parent, child, or sibling. Moreover, under § 455.104(a)(3), there must be disclosure of the name of any other disclosing entity in which a person with an ownership or controlling interest in the disclosing entity has an ownership or controlling interest. In addition, under § 455.104(c), the State agency may not contract with a provider or fiscal agent that has not disclosed ownership or control information required under this section.
During the review, the MIG team found evidence that Virginia has endeavored to address the § 455.104 disclosure issues identified during the last CMS program integrity review in July 2007. The State’s corrective actions include the addition of a form to multiple FFS provider applications which captures required disclosure elements. However, the new form still does not collect one element required by the regulation. It does not capture spousal, parent, child, or sibling relationships of each person with an ownership or control interest in any subcontractor in which the disclosing entity has direct or indirect ownership of 5 percent or more. This leaves the State partially out of compliance with the regulation and is a partial repeat finding.
In addition, Virginia did not provide evidence that it collected the required disclosures from its contracted fiscal agent and the quasi-fiscal agents that process claims for NEMT and consumer-directed personal care services before the State entered into or renewed contracts with these entities. The DMAS likewise could not document that it obtained the required disclosures from its dental broker, an administrative services organization which performs the functions of a fiscal agent in processing Medicaid dental claims. Lastly, the State failed to provide evidence that it collected the required disclosures from its contracted Medicaid MCOs, with the possible exception of one MCO which indicated that it provided the former CMS-1513 form as part of the contracting process.
Additionally, since Virginia does not require providers to re-enroll, Medicaid providers enrolled prior to the application update in September 2009 do not have updated provider disclosure information.
Recommendations: Modify all provider enrollment applications and contracts to capture the required relationship information. Obtain necessary disclosures from State-contracted MCOs, the fiscal agent, and other contractors performing fiscal agent functions, including the dental contractor.
Virginia’s FFS provider enrollment agreement and MCO contracts do not require the disclosure of business transactions upon request. (Uncorrected Repeat Finding)
The regulation at 42 CFR § 455.105(b)(2) requires that, upon request, providers furnish to the State or the U.S. Department of Health & Human Services information about certain business transactions with wholly owned suppliers or any subcontractors.
Virginia's FFS provider agreement and the State’s contract with its MCOs do not include a statement requiring the FFS providers and MCOs to disclose the specified business transaction information to the Secretary or the Medicaid agency upon request. The documents also contain no reference to a 35-day time frame, although the regulation states that providers must submit business transaction information within 35 days of the date on a request by the Secretary or the Medicaid agency. This is a repeat finding.
Recommendation: Modify FFS provider agreements and MCO contracts to require disclosure upon request of the information identified in 42 CFR § 455.105(b).
Virginia’s MCO contracts do not require criminal conviction disclosures from owners and managing employees. (Uncorrected Repeat Finding)
The regulation at 42 CFR § 455.106 stipulates that providers must disclose to Medicaid agencies any criminal convictions related to Medicare, Medicaid, or Title XX programs at the time they apply or renew their applications for Medicaid participation or at any time on request. The regulation further requires that the Medicaid agency notify HHS-OIG whenever such disclosures are made.
The DMAS contract with the MCOs does not require specified MCO personnel, such as owners and managing employees, to disclose health care-related criminal conviction information. The State also provided no evidence that MCOs in actual practice gathered and forwarded this information to the State agency, which would then allow DMAS to notify HHS-OIG of the disclosures as is required.
The MIG found Virginia out of compliance with 42 CFR § 455.106 during its 2007 program integrity review. Although DMAS has modified its FFS enrollment applications to come into compliance on criminal conviction disclosures, this is a repeat finding with regard to equivalent disclosures by key Medicaid MCO personnel.
Recommendation: Develop and implement a process for collecting health care-related criminal conviction disclosures from MCO personnel, including owners and managing employees, and for reporting disclosed convictions to HHS-OIG as required by the regulation.
The review team identified six areas of vulnerability in Virginia’s program integrity practices. These included issues relating to managed care network provider disclosures, the incomplete checking of provider exclusions, the failure to conduct beneficiary service verifications in the managed care program, and not requiring MCOs to notify the State agency of adverse actions taken on MCO network provider applications.
Not collecting all required ownership and disclosure information from MCO network and dental providers.
Not all applications used by Virginia’s MCOs collect the ownership and control disclosures from MCO network providers that Federal regulations at 42 CFR § 455.104 would otherwise require from FFS providers.
In their internal credentialing process, the MCOs use the Council for Affordable Quality Healthcare (CAQH) provider application form which does not ask for information on persons with ownership and control interests in the provider, family relationships among such persons, and interlocking relationships of ownership and control with subcontractors. Although all three of the MCOs interviewed had supplemented the CAQH form with addenda to gather further disclosure information, two of three addenda did not include the relationships of persons with a greater than 5 percent interest in the provider and related subcontractors.
Virginia’s dental administrative services contractor, which processes dental provider applications, also did not request the full range of required ownership and control disclosure information on its application forms.
Recommendation: Revise MCO network provider and dental provider applications to collect the same information on persons with ownership and control interests in the provider that is required in the FFS system. This should include information on family relationships among persons with ownership and control interests and the interlocking relationships of ownership and control with subcontractors.
Not requiring the disclosure of business transaction information from dental and MCO network providers.
The dental provider agreements and all of the three MCO network provider agreements reviewed by the team do not contain language requiring providers to supply the same business transaction disclosures upon request that are required of FFS providers. There is also no provision requiring transmission of the requested disclosures within the 35-day time frame specified for FFS
Recommendation: Modify the dental provider agreements and MCO network provider agreements to require timely disclosure, upon request, of the required business transaction information.
Not capturing criminal conviction information on managing employees of dental and MCO network providers.
Virginia’s dental provider applications do not collect the required health care-related criminal conviction disclosures from managing employees which Federal regulations at 42 CFR § 455.106 would otherwise require FFS providers to furnish. One of the three MCOs interviewed also did not collect criminal conviction information from its managing employees. This prevents the Medicaid agency from sending timely notifications of such disclosures to HHS-OIG, as required by the regulation.
Recommendation: Develop and implement a process to collect and report health care-related criminal conviction information from managing employees of dental and MCO network providers as specified in 42 CFR § 455.106.
Not checking exclusion databases for all providers, owners and managing employees on a monthly basis.
On June 12, 2008, CMS issued SMDL #08-003 providing guidance to States on checking providers and contractors for excluded individuals. A follow-up SMDL (#09-001) dated January 16, 2009 provided further guidance to States on how to instruct providers to screen their own staff and subcontractors for excluded parties.
During a walkthrough of the provider enrollment process, the review team noted that provider enrollment staff check FFS providers against the MED on a monthly basis. However, although information on owners, officers, managing employees and other principals is collected on the enrollment application, the State does not maintain complete information on such parties in the MMIS or an equivalent repository where they can be searched for exclusions on an ongoing monthly basis. Failure to maintain the information in a searchable format prevents DMAS from knowing whether excluded parties are working for health care entities in responsible positions such as billing managers and department heads.
Additionally, one of three MCOs and two PACE programs indicated during interviews that they only check for exclusions during the provider application process and annually thereafter.
This contradicts the guidance in the two SMDLs and the State's notice mailed to all providers regarding the scope and frequency of exclusion checking in provider operations. Although Virginia has made good progress in developing automated exclusion searches and in its provider education material, the incompleteness of the searches currently applied to related parties in both the FFS and managed care programs remains to be addressed.
Recommendations: Ensure that providers are following the guidance in the State's April 2009 Medicaid Memorandum. Develop and implement a process for expanding monthly exclusion checking to include owners and managing employees within the FFS Medicaid program and to encompass providers, owners and managing employees in the MCO and PACE provider networks.
Not verifying with managed care enrollees whether services billed by MCO network providers were received.
Virginia meets the requirements of 42 CFR § 455.20 by sending explanations of medical benefits to FFS beneficiaries. In addition, Virginia’s Medallion II Contract with the MCOs contains a provision requiring beneficiary verification of receipt of services. However, two of the three MCOs interviewed indicated that they did not routinely verify the receipt of services with Medicaid enrollees. They only did so when conducting specific provider investigations.
Recommendation: Enforce and monitor MCO compliance with the existing contract provision requiring that MCOs have a method for verifying with beneficiaries whether billed services were received.
Not reporting to HHS-OIG adverse actions taken on managed care provider applications. (Uncorrected Repeat Vulnerability)
Although MCOs indicated that they are reporting program integrity-related network provider terminations to the Medicaid agency, the MCOs are not reporting adverse actions taken on provider applications for participation in the MCO Medicaid network. This omission may make it easier for problem providers to find a way into other MCOs and the FFS program undetected. The failure of MCOs to notify the Medicaid agency of adverse actions taken for program integrity reasons also precludes the Medicaid agency from reporting such actions to the HHS-OIG, as the regulation at 42 CFR § 1002.3(b) would require in the FFS program.
This is a repeat issue from Virginia’s 2007 program integrity review which found that adverse actions taken against FFS providers were not reported to the HHS-OIG. This FFS issue has been corrected by Virginia.
Recommendations: Require contracted MCOs to notify the State agency when they deny providers credentialing for program integrity-related reasons. Develop and implement procedures for reporting these adverse actions to HHS-OIG.
The State of Virginia applies some noteworthy and effective practices that demonstrate program strengths and the State’s commitment to program integrity. These practices include:
• ongoing checks for excluded PCAs in the consumer-directed personal care program,
• enhanced auditing through contractors,
• effective communication of program integrity concerns and provision of training on an agency-wide basis,
• automated MED interface with Virginia’s MMIS, and
• expanded provider outreach and education on exclusion checking.
The CMS supports the State's efforts and encourages it to look for additional opportunities to improve overall program integrity.
Although Virginia has made considerable progress in addressing deficiencies identified during the 2007 MIG review, the identification of three areas of non-compliance with Federal regulations is of concern and should be addressed immediately. In addition, six areas of vulnerability were identified. The CMS encourages Virginia’s PI division to closely examine each area of vulnerability that was identified in this review.
It is important that these issues be rectified as soon as possible. To that end, we will require Virginia to provide a corrective action plan for each area of non-compliance within 30 calendar days from the date of the final report letter. Further, we will request the State include in that plan a description of how it will address the vulnerabilities identified in this report.
The corrective action plan should address how the State of Virginia will ensure that the deficiencies will not recur. It should include the timeframes for each correction along with the specific steps the State expects will occur. Please provide an explanation if correcting any of the regulatory compliance issues or vulnerabilities will take more than 90 calendar days from the date of the letter. If Virginia has already taken action to correct compliance deficiencies or vulnerabilities, the plan should identify those corrections as well.
The Medicaid Integrity Group looks forward to working with the State of Virginia on correcting its areas of non-compliance, eliminating its areas of vulnerability, and building on its effective practices.